FROM  0  TO  SECURE  IN  1  MINUTENIR  VALTMAN

About  me

I  am  working  in as  the  <HEAD>  Application  Security </HEAD>

,  except  at  

Neither  of  my  previous  startups  succeeded!

1st time  speaking  publicly

But  at  least  I  invented  few  open  source  tools.  

Mmmm…  OH,  AND

Cloud  security  challenges  and  benefitsAnd  more  specifically,  using  IaaS automation  and  orchestration  features  for  increasing  the  security

Dashboard Billing API

Orchestration

Hypervisor Controller Abstraction

PhysicalServers Network Storage

About  the  talk

About  the  talk

Cloud  Attack  Vectors

Provider  administration

Management  console

Multi  tenancy  &  

virtualization

Automation  &  API

Chain  of  supply

Side  channel  attack

Insecure  instances

Anatomy  of  a  cloud  hack

Anatomy  of  a  cloud  hack  – BrowserStack’s Story

Shell  shock  vulnerability  on  unused  server

Found  API  key  on  the  hacked  server

Opened  a  firewall   rule  

and  launched  an  instance  using the  API  key

Attached  a  backup  

volume  to  the  instance

Found  database  credentials  on  backup  device

Connected  to  DB

SOURCE:  https://www.browserstack.com/attack-­‐and-­‐downtime-­‐on-­‐9-­‐November

Do  we  have  the  right  tools?

SOURCE:  http://ifail.info/wp-­‐content/uploads/2010/04/street_dentist_thumb.jpg?98bbf9

Secure  SDLC

Secure  SDLC

Dynamic/Interactive  application  security  testing  (DAST/IAST)

Secure  Infrastructure?

Secure  Infrastructure?

Static  code  analysis

Software  composition  analysis

Secure  Infrastructure?

The  existing  security  tools  for  DevOps

Signing  and  Obfuscation

Check  out  code  and  Build Unit  testing Quality  control

Deployment  to  test

environment

Fetch  latest  builds

Integration  testing

Packaging  and  archiving

Fetch  release  ready  builds

Deployment to  pre-­‐prod  

environment

Acceptance  testing

Deployment  to  production

Micro-­‐Services  Architecture  

DEV OPS

ContinuousDelivery

1  hour

10  min

1  min  

Architecture  &  deployments  are  changing  

The  billing  cycles  are  being  reduced

Google slashes  cloud  platform  price  again

Microsoftwill  offer  Azure  by  the  minute  to  

take  on  Amazon’s  cloud

Microsoft follows  Google  with  by-­‐the-­‐minute  cloud  

blending

AUTO  SCALING

The  challenge

How  to  do  security  when  servers  alive  for  10  minutes?

Patch  management Maintenance  windows

Periodic  vulnerability  scanning

Hardening

DON’T  LET  SECURITY  TO  HOLD  YOU  DOWN

Introducing

Launch Configure  and  harden Scan Move  to  

Production

SOURCE: https://github.com/valtmanir/Cloudefigo

Based  on  the  work  made  by  Rich  Mogull from  Securosishttps://github.com/rmogull/PragmaticNetSecManagement

Cloudefigo’s lifecycle

Server  launch1Server  loads  security    

configuration

Server  encrypts  disk  volumes

Server  scanned  for  vulnerabilities  

Server  moves  to  production

S3

2

3

4

5

Components

Object  Storage

Vulnerability  Scanner Cloud-­‐Init

Configuration  Management IAM  Roles Volume  

Encryption

Instance’s  lifecycle

Launch

Update

Control

Scan

Production

Terminate

LAUNCH

Prepare

Cloudinit

ü Each  instance  manages  its  own  attributes§ Encryption  keys  § Remediation  vs.  production  groups

ü Management  of  these  attributes  requires  permissions

ü Permissions  during  launch  > production

ü Thus,  a  dynamic  IAM role  is  required

LAUNCH

Prepare

Cloudinit

LAUNCH

Prepare

Cloudinit

ü Executed  in  root permissions  when  image  is  launching.

ü Responsible  for  building  the  infrastructure  for  the  following  steps.

LAUNCH

Prepare

Cloudinit

LAUNCH

Prepare

Cloudinit

UPDATE

OS  update

Pre-­‐requisites

Any  risks?

ü CloudInit to  update  &  upgrade  software  packages

ü The  primary  goal  is  to  make  sure  the  cloud  instance  is  secure  once  upgraded

Need  to  make  sure  the  pre-­‐prod/test/CI  environments  include  the  recent  operating  system  

updates  as  well!  

UPDATE

OS  update

Pre-­‐requisites

ü CloudInit to  install  the  software  packages  required  to  operate:  § Python  +  pip  +  wheel§ AWS  SDK  (Boto)§ Chef  Client  +  Chef  SDK  (PyChef)

ü Download  configurations  and  scripts  from  S3:§ Cloudefigo script§ Chef  client  initialization  files

ü Cloudinit to  create  and  attach  a  volume  for  application  files  and  data.  

CONTROL

Chef  Registration  

Encrypt

ü The  Chef  clients  register  to  the  Chef  Management  server  using  the  initialization  files  loaded  from  S3.

ü Once  the  client  is  registered,  a  policy  is  loaded  and  enforced  on  the  instance.  

CONTROL

Chef  Registration  

Encrypt

Where  should  you  keep  your  keys?  

Cloud  Provider On  Premise 3rd Party

Protected Snapshots  and  backups

Snapshots,  backups,subpoena  and  malicious  insiders

Snapshots,  backups  and  cloud  provider’s  malicious  insiders

Vulnerable Maliciousinsider  attacksand  subpoena

Key exchange  attacks

Key  exchange  attacks  and  subpoena  (partial)

CONTROL

Chef  Registration  

Encrypt

ü The  volume  to  be  encrypted  using  randomly  generated  key.§ The  key  is  kept  in  S3  for  later  use.

ü The  application  database  to  be  installed  in  the  encrypted  volume.

Instance  1

Instance  2

Instance  3

Bucket  2f3g

Bucket  5dw4

Bucket  8H7g

Key  ID  5dw4

Key  ID  8H7g

Key  ID  2f3g

Key  1#Fd3

Key  vFS3=

Key  Bs$a

CONTROL

Chef  Registration  

Encrypt

ü Dynamic  S3  policy:    access  to  the  encryption  key  requires  a  referrer  header  that  is  generated  based  on  attributes  from  the  instance.

CONTROL

Chef  Registration  

Encrypt

CONTROL

Chef  Registration  

Encrypt

SCAN

Automatic  Scan

Analyze

ü A  vulnerability  scan  to  be  launched  automatically  by  the  CloudInit script.

ü The  deeper  the  scan,  the  longer  it  takes  to  move  the  instance  to  production.  

SCAN

AutomaticScan

Analyze

ü The  results  of  the  scan  are  analyzed  by  the  Cloudefigo script.

ü Based  on  successful  scan  results – the  instance  to  move  to  production  or  remain  in  the  remediation  group.

ü The  lowest  security  risk  severity  can  be  defined.

SCAN

AutomaticScan

Analyze

SCAN

AutomaticScan

Analyze

PRODUCTION

Least  privileged  role

Manage

ü Reminder:    Permissions  in  launch  >  production

ü IAM  role  permissions  reduced  dynamically  -­‐contains  read  only  access

PRODUCTION

Least  privileged  role

Manage

ü For  the  ongoing  operations  – compensating  controls  are  required.  

ü Cloudefigomanagement  script  lists  cloud  instances  and  validates  they  are  managed  by    Chef

ü Cloudefigo will  set  alert  when  someone  will  try  to  use  access  keys.  

PRODUCTION

Least  privileged  role

Manage

Building   the  CloudWatch alarm

PRODUCTION

Least  privileged  role

Manage

PRODUCTION

Least  privileged  role

Manage

PRODUCTION

Least  privileged  role

Manage

TERMINATE

Instance

EncryptionKeys

ü The  life  cycle  ends  once  a  server  is  terminated  along  with:§ Attached  volumes§ IAM  role

TERMINATE

Instance

EncryptionKeys

ü The  instance  data  still  exists  in  backups/snapshots  or  provider  storage

ü Encryption  keys  to  be  deleted  with  instance  in  order  to  make  sure  the  backup  data  remains  inaccessible  (not  implemented  in  this  version)

Wrapping  Up

The  new  software  architecture  and  applications  delivery  in  cloud  module  disrupts  traditional  correctives  controls  

We  need  to  adopt  new  thinking  to  automate  security  

Think  how  security  automation  can  help  you  in  moving  your  infrastructure  forward.  Faster.

Questions

Nir  Valtman@:  nir.valtman (at)  ncr.com  w:  www.ncr.com  |  www.valtman.orgin:  www.linkedin.com/in/valtmanirt:  @ValtmaNir

Did  I  mention  that  I’m  HIRING?  Building   the  A-­‐TEAM!